
Resolving SQL Server Failing to Start After Windows SSL Hardening

济南小老虎 2021-08-18


1. Preface

To remediate SSL/TLS transport-layer vulnerabilities, parts of the operating system configuration have to be changed, and that change can stop the SQL Server instance on the same server from starting. The error reported is:
TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.
This post describes the fix.


2. Hardening steps (from a colleague's notes)


2.1 Edit the registry to disable the RC4 ciphers

  • Open the registry with regedit and add the following keys, each with a DWORD value named Enabled set to 0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

2.2 Edit Group Policy

  • Open Local Group Policy with gpedit.msc.

Go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
Edit SSL Cipher Suite Order
Delete the existing cipher suite list and replace it with the following:
---
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA
---
Then set SSL Cipher Suite Order to Enabled. Note that TLS_RSA_WITH_NULL_SHA near the end of this list is a NULL cipher suite: it authenticates and integrity-protects the connection but does not encrypt it, so a hardening profile should normally leave it out.
Reboot the server.
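The registry and Group Policy steps in 2.1 and 2.2, as an added PowerShell example (not from the original post, and not a Microsoft tool): it writes the same four RC4 keys and the cipher suite order, then reads both back so the result can be checked before rebooting. The paths are the standard Schannel locations; the SOFTWARE\Policies\...\SSL\00010002 key is where the "SSL Cipher Suite Order" policy stores its list. The suite list is the one above with TLS_RSA_WITH_NULL_SHA dropped. Run it in an elevated PowerShell.

```powershell
# Added example, not part of the original post. Requires an elevated PowerShell.
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$PolicyPath  = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Rc4Keys     = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

# Same order as the Group Policy list in section 2.2, minus TLS_RSA_WITH_NULL_SHA (no encryption).
$CipherSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521', 'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
)

function Disable-Rc4Ciphers {
    # The PowerShell registry provider treats the "/" in "RC4 128/128" as a path separator,
    # so New-Item would create nested keys "RC4 128\128". The .NET API keeps it literal.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CiphersPath)
    try {
        foreach ($name in $Rc4Keys) {
            $key = $ciphers.CreateSubKey($name)
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Close()
        }
    } finally { $ciphers.Close() }
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    $list = $Suites -join ','
    # The policy setting caps the string at 1023 characters; fail loudly instead of truncating.
    if ($list.Length -gt 1023) { throw "Cipher suite list is $($list.Length) chars; the limit is 1023" }
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($PolicyPath)
    try { $key.SetValue('Functions', $list, [Microsoft.Win32.RegistryValueKind]::String) }
    finally { $key.Close() }
}

function Get-SchannelHardeningState {
    # One result object per check: RC4 keys present with Enabled=0, suite list set, no NULL suites.
    $results = @()
    foreach ($name in $Rc4Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersPath\$name")
        $enabled = $null
        if ($key) { $enabled = $key.GetValue('Enabled'); $key.Close() }
        $results += New-Object PSObject -Property @{ Check = "RC4 '$name' disabled"; Ok = ($enabled -eq 0); Value = $enabled }
    }
    $policy = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($PolicyPath)
    $functions = ''
    if ($policy) { $functions = [string]$policy.GetValue('Functions'); $policy.Close() }
    $results += New-Object PSObject -Property @{ Check = 'Cipher suite order set'; Ok = ($functions -ne ''); Value = $functions }
    $results += New-Object PSObject -Property @{ Check = 'No NULL cipher suites';  Ok = ($functions -notmatch '_NULL_'); Value = $null }
    $results
}

Disable-Rc4Ciphers
Set-CipherSuiteOrder -Suites $CipherSuites
Get-SchannelHardeningState | Format-Table Check, Ok, Value -AutoSize
Write-Host 'Reboot the server so Schannel picks up the new settings.'
```

Writing the policy key directly is equivalent to what gpedit does for Schannel, but on a domain-joined host a domain GPO will overwrite it at the next refresh, so keep the list in the GPO there and use the script only to verify.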

3. Fixing SQL Server

  • If the SQL Server version is SQL Server 2014 SP1 or earlier, or SQL Server 2008 R2 SP3 or earlier, the instance fails to start or clients can no longer connect; SQL Server has to be patched:

https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

  • The relevant part of that article:

Introduction
This article provides information about the updates that Microsoft is releasing to enable TLS 1.2 support for SQL Server 2017 on Windows, SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014. This article also lists supported client providers. SQL Server 2016, SQL Server 2017, and SQL Server 2019 support TLS 1.2 without the need for an update.

Several known vulnerabilities have been reported against SSL and earlier versions of Transport Layer Security (TLS). We recommend that you upgrade to TLS 1.2 for secure communication.

Important No known vulnerabilities have been reported for the Microsoft TDS implementation. This is the communication protocol that's used between SQL Server clients and the SQL Server database engine. The Microsoft Schannel implementation of TLS 1.0 (regarding the known vulnerabilities that have been reported to Microsoft as of the publication date of this article) is summarized in Schannel implementation of TLS 1.0 in Windows security status update: November 24, 2015.

In short: SQL Server builds older than the TLS 1.2 updates Microsoft began shipping around the end of 2015 do not support TLS 1.2 and need patching.
SQL Server 2016, 2017 and 2019 support TLS 1.2 without any update.
SQL Server 2008 R2, 2012 and 2014 all need an update, and the exact build differs per version: for some it arrives in a service pack, for others in a cumulative update.

  • A few things to watch out for

1. The update must match the SQL Server architecture, i.e. 32-bit or 64-bit.
2. Updates for the Chinese and English language versions of SQL Server are not interchangeable.
3. For SQL Server 2008 R2 the problem is not solved by SP3 itself: install the SP3 package first, then apply the incremental update on top of it.

  • Download location for the SQL Server 2014 update and the update files needed for SQL Server 2008 R2

SQL2014
https://go.microsoft.com/fwlink/?linkid=2034575&clcid=0x409
SQL2008R2
SQLServer2008R2SP3-kb2979597-x64-chs.exe
SQLServer2008R2-KB4057113-x64.exe
# Note: the first file is the SP3 service pack and must be installed before the second update. Each is roughly 300 MB.
# Reboot the server after applying the updates.
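Before downloading anything, it helps to confirm that the start failure really is the TDSSNIClient/SSL error from the preface and to see which SQL Server build is installed, which has to be read from sqlservr.exe since the instance cannot answer a query. The following is an added PowerShell example, not from the original post; it assumes a default instance at the default SQL Server 2014 paths (change $ErrorLogPath and $SqlServrExe for your instance) and falls back to a constructed ERRORLOG excerpt when no real log is present.

```powershell
# Added example, not part of the original post. Paths are assumptions for a default SQL 2014 instance.
$ErrorLogPath = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log\ERRORLOG'
$SqlServrExe  = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'

# Major.minor of the file version -> product, per Microsoft's SQL Server version numbering.
$SqlFamilies = @{
    '10.50' = 'SQL Server 2008 R2'; '11.0' = 'SQL Server 2012'; '12.0' = 'SQL Server 2014'
    '13.0'  = 'SQL Server 2016';    '14.0' = 'SQL Server 2017'; '15.0' = 'SQL Server 2019'
}

function Test-TdsSniSslFailure {
    # Scans ERRORLOG lines for the TDSSNIClient 0x139f / "Unable to initialize SSL support" message.
    param([string[]]$LogLines)
    $hits = @($LogLines | Where-Object {
        $_ -match 'TDSSNIClient' -and ($_ -match '0x139f' -or $_ -match 'Unable to initialize SSL support')
    })
    New-Object PSObject -Property @{ SslInitFailed = ($hits.Count -gt 0); Lines = $hits }
}

function Get-SqlServerBuildInfo {
    # Reads the product version from the binary, which works even when the service will not start.
    param([string]$ExePath)
    $ver    = (Get-Item $ExePath).VersionInfo.ProductVersion   # e.g. 12.0.4100.1
    $parts  = $ver.Split('.')
    $family = "$($parts[0]).$($parts[1])"
    $name   = if ($SqlFamilies.ContainsKey($family)) { $SqlFamilies[$family] } else { "unknown ($family)" }
    # KB3135244: 2016 (13.0) and later support TLS 1.2 natively; 2008 R2, 2012 and 2014 need the update.
    New-Object PSObject -Property @{
        Version            = $ver
        Product            = $name
        MayNeedTls12Update = ([int]$parts[0] -lt 13)
    }
}

# Constructed sample ERRORLOG excerpt (not a real log); the error text is the one quoted in this post.
$SampleLog = @(
    '2021-08-18 09:00:01.10 Server      Server process ID is 1234.',
    '2021-08-18 09:00:03.55 Server      TDSSNIClient initialization failed with error 0x139f, status code 0x80. Reason: Unable to initialize SSL support. The group or resource is not in the correct state to perform the requested operation.'
)

# ERRORLOG is UTF-16 with a BOM; Get-Content detects that automatically.
$lines = if (Test-Path $ErrorLogPath) { Get-Content $ErrorLogPath } else { $SampleLog }
$check = Test-TdsSniSslFailure -LogLines $lines
if ($check.SslInitFailed) {
    Write-Host 'SSL initialization failure found in ERRORLOG:'
    $check.Lines | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No TDSSNIClient SSL failure in ERRORLOG; look for a different cause.'
}
if (Test-Path $SqlServrExe) { Get-SqlServerBuildInfo -ExePath $SqlServrExe | Format-List Product, Version, MayNeedTls12Update }
```

If MayNeedTls12Update is true, compare the reported build with the minimum builds listed in KB3135244 for that product and apply the matching service pack or cumulative update, keeping the architecture and language caveats above in mind.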


